'It only takes one email': 3 reasons why China reading Obama administration private emails is even worse than it seems

U.S. President Barack Obama listens to a response from Chinese President Xi Jinping at The Annenberg Retreat at Sunnylands in Rancho Mirage, California June 7, 2013.
REUTERS/Kevin Lamarque
Chinese cyberspies have had access to the private email accounts of Obama administration officials and "top national security and trade officials" for at least five years, NBC has reported, adding to the long list of data breaches suffered by the US government at the hands of China in recent months and years.

What the Chinese found in the private email accounts of top US officials — vacation plans, notes to friends, and other everyday correspondences that pass through personal inboxes — likely bordered on the mundane.

But the fact that the hackers were able to breach the accounts in the first place and the potential fallout make it clear that the breach shouldn't be taken lightly.

Here are 3 reasons why:

Administration officials are falling for phishing attempts

The email breach shows that government employees are still the administration's weakest link in terms of cybersecurity.

At the highly technical Infiltrate hacking conference, a professional penetration tester for a major company in Silicon Valley told Business Insider that the easiest way to infiltrate a system is to bait an employee into clicking on an infected link in a seemingly innocuous email.

"People love to click on that blue line," Ray Boisvert, a veteran of Canada's intelligence services, told Business Insider at the conference.

From there, the hacker for hire can acquire the employee's username, passwords, and other sensitive information — which can lead a hacker into the larger system.

This tactic, known as "phishing," can be executed by unskilled scammers. When executed by a professional, however, phishing becomes a highly targeted tool that can trick even the savviest employees, let alone administration officials in their 50s and 60s whose work has only recently transitioned into the cyber realm.

President Obama meets with senior military leaders in the White House on May 16, 2013.
Yuri Gripas / Reuters

Even if an individual has been trained by his or her agency to identify and avoid phishing scams, one cybersecurity course will not be enough to make that person change his or her behavior in the long run, especially if it's their personal email and their guard is down, cybersecurity expert Joe Loomis of Cybersponse told Business Insider.

"Statistically, if employees are not retrained to avoid phishing scams within 90 days, they start to click [on the malicious links] again," Loomis said, citing data provided by the cybersecurity company Phishbite.

Hackers may have access to far more than just email accounts

Moreover, by unknowingly clicking on malicious links in emails, officials likely gave hackers access to far more than just the contents of their inboxes.

The information that can be gleaned from someone's personal inbox goes beyond the mundane correspondences that often fill it, Loomis noted, especially when you have that person's passwords and, consequently, the keys to unlocking other areas of their digital lives.

"And it only takes one email to compromise the entire computer," he said. "These hackers cast a very wide net when choosing who to target, so that ultimately it becomes like shooting fish in a barrel."

"It's better to assume they've gotten a lot of intelligence this way than to say they haven't been successful," he added.

A political nightmare for Hillary, even if her private emails were secure

In March, Hillary Clinton admitted that she had used her private email address for work-related correspondence while serving as Secretary of State from 2009 to 2013.

Clinton's use of a private email address was not illegal, but it drew intense criticism from politicians and experts who feared she had been sharing sensitive national security information via the seemingly insecure clintonemail.com server. The server is now being investigated by the FBI.

Democratic presidential candidate Hillary Clinton speaks at a Service Employees International Union roundtable on Home Care at Los Angeles Trade-Technical College in Los Angeles, California August 6, 2015.
REUTERS/Mario Anzuoni

"In many ways, Hillary's private system would have been safer purely because it's a smaller target," Loomis noted. "Only she and a few other people are using it, she had a whole IT security team monitoring the system for breaches."

(In fact, Clinton has never provided details about her security team. A statement released by her team in March stated only that "robust protections were put in place and additional upgrades and techniques employed over time as they became available, including consulting and employing third party experts.")

"Still, other candidates will probably jump on this and create a lot of fear and uncertainty about it," Loomis added. "It's an unfortunate example of being in the wrong place at the wrong time."

Presidential candidate Jeb Bush, one of Clinton's top GOP rivals, has already gone on the attack, tweeting that Clinton "should have known" better than to use a private email address for work.

New @nbc report confirms personal email more vulnerable to Chinese hacking &@HillaryClinton should have known that. http://t.co/u0hlTiLE6T — Jeb Bush (@JebBush) August 10, 2015

"Even if Clinton did nothing wrong, she'll be guilty by association at this point," Loomis said. "It's a political nightmare."